Hi, On Fri, Mar 03, 2006, Michael Stone wrote: > You really seem to have some sort of tunnel vision.
Don't be insulting. You didn't make any effort to encompass my vision, I made some and gave you some points. I explained why I felt this way. You simply dismiss these points because no-one has a MacOSX on your network. I can tell you I saw plenty of advertized services at FOSDEM, I see some at home from my MacOSX, I saw some at my office... This is nowhere near your point of view of a small set of privileged people which you never saw, this is what I would call a mass-market technology. > IMO, most people > won't wonder why they didn't get rhythmbox because they won't care. > Those that do can simply install it. I think you're confusing gnome and gnome-desktop-environment. People wanting the GNOME desktop, and only that should install gnome-desktop-environment. gnome is a much wider set, pulling stuff like evolution, or gnome-office. > Well, you don't like the idea of changing the package. Fine. But now you > both won't change the package *and* insist that it *must* be installed > by default for anyone who wants a gnome desktop? Again, you seem to miss the point of gnome versus gnome-desktop-environment. > >You don't want to stop GNOME to want features as simple as > >file-sharing. > I expect that someone should have to turn that on. You're suggesting > gnome take a step *backward* from a security perspective while the > industry is moving in the other direction. Right, someone turns that on, exactly like someone must explicitely turn on sharing of his music in Rhythmbox. But browsing of remote shares is enabled by default. Do you consider Apple part of "the industry"? > >It's quite natural for people to get a webserver when they install a > >webapp such as phppgadmin, yet apache2 does not only listen on lo by > >default, > And phppgadmin doesn't get installed by default when you say you want a > desktop system, does it? (A better policy for handling *all* daemons is > actually a good thing long term, but holding the line for desktops is a > least a step in the right direction.) Neither does rhythmbox if you select gnome-desktop-environment. You completely ignore my proposals, which were to help you offer the security-oriented distro you want, without choping away the feature-encompassing GNOME I want. I talked of this with a lot of people at FOSDEM, they were all developers and all understood what it meant to have a port open. Some of them suggested the solutions I proposed to you (and that you didn't even bother to comment on), but all of them thought it was completely ok to have avahi pulled in this way. If you have a technical problem with the way deps are layered and the fact that avahi-daemon listen on the network from your security perspective, and I can't agree from a functional perspective, let's take the problem the next step (since evidently you wanted to bypass me by bringing that at the GNOME team scope), that is the TC. If you wish for this resolution, I can do the job of giving a short summary of the discussion with pointers to deb-sec and this bug for references, and open the discussion with the tech-ctte. If you don't, please state so and propose a reasonnable course of actions (hint: consensual), where I get some of the functionalities I want, and you get some of the security you want. Cheers, -- Loïc Minier <[EMAIL PROTECTED]>
